On Monday 13 July 2009 14:15:18 Bob McConnell wrote:
> From: Daniel Kolbo
>
> > Daniel Brown wrote:
> >> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo<kolb0...@umn.edu> wrote:
> >>> Hello,
> >>>
> >>> How does one continue a PHP session on a different domain (domain B)
> >>> than the domain (domain A) that started the session?
> >>
> >> Simple answer: you don't.
> >
> > Thanks for the responses.
> >
> > Re: Simple answer
> > I thought of another example. My bank's website. I sign in and
> > authenticate with "bank.com". Then, I click credit card from bank.com
> > and I'm redirected to "creditcard.com" without me having to reinput
> > user/pass. They clearly do it (granted they have a lot more resources
> > than I do, but I'd still like to know how they are doing it).
>
> My bank also does this, but it only works if JavaScript is enabled when
> I first log in. Otherwise the initial login fails and I do it again on
> the second site. I haven't actually looked at the page sources to see
> what they do. But I have NoScript configured to block all JS by default
> so the initial login attempt always fails. It also reports blocked XSS
> attempts on both pages. So whatever they are doing does not appear to be
> very safe.
>
> Bob McConnell

Just a thought, but as the session ID normally gets automatically added to the
header request by a browser, could you not add it into the form itself as you
move from one domain to another?
AFAIK, PHP tends to prefer the PHPSESSID as an element in the $_COOKIE array
(or the $_REQUEST array which is made up from the cookie as well) so you
might be able to do some clever playing around to achieve the effect?
--
Thanks,
Ash
http://www.ashleysheridan.co.uk
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
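
Ash's suggestion above, sketched as an added example (not code from any poster in this thread): domain A puts the session ID into a hidden form field together with an expiry and an HMAC, and domain B adopts the ID only if the signature verifies and the value is still fresh. It assumes both domains read the same session store and share a secret; `HANDOFF_KEY`, `HANDOFF_TTL`, `handoff_field()` and `read_handoff()` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumed: both domains read the
// same session store and share HANDOFF_KEY. All names here are hypothetical.
const HANDOFF_KEY = 'replace-with-a-long-random-secret'; // placeholder value
const HANDOFF_TTL = 30; // seconds the hidden field stays valid

// Domain A: hidden field for the form that posts to domain B.
function handoff_field(string $sessionId, int $now): string
{
    $payload = $sessionId . '|' . ($now + HANDOFF_TTL);
    $token = base64_encode($payload . '|' . hash_hmac('sha256', $payload, HANDOFF_KEY));
    return '<input type="hidden" name="handoff" value="' . htmlspecialchars($token) . '">';
}

// Domain B: return the session ID only if domain A signed it and it is fresh.
function read_handoff($token, int $now): ?string
{
    $decoded = is_string($token) ? base64_decode($token, true) : false;
    $parts = $decoded === false ? [] : explode('|', $decoded);
    if (count($parts) !== 3) {
        return null;
    }
    [$sessionId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '|' . $expires, HANDOFF_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // not issued by domain A, or altered in transit
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null; // expired
    }
    // Accept only characters PHP itself uses in session IDs.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sessionId) ? $sessionId : null;
}

// Domain B entry point: runs only for a POST carrying the field.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $sid = read_handoff($_POST['handoff'] ?? null, time());
    if ($sid === null) {
        http_response_code(403);
        exit('Invalid or expired handoff');
    }
    session_id($sid);             // adopt the session started on domain A
    session_start();
    session_regenerate_id(false); // give domain B its own ID; A's stays valid
}
```

The expiry limits how long a captured field value is accepted, but nothing here makes it single-use; that would need a record of consumed values in the shared store.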